/* NJohnson9402 / natethedba.wordpress.comAn example of how to check for orphan

1. /* NJohnson9402 / natethedba.wordpress.com
2. An example of how to check for orphaned database users (users that do not map to a server login).
3. Basically the idea here is to take the output of `sys.sp_helpuser` and utilize it to find & fix.
4. There are much cooler ways out there, such as dbatools.io/functions/repair-dbaorphanuser/, but
5. I have occasionally seen these not work in odd situations. Plus, if your login names and user names
6. don't exactly match, this method could be extended to enter custom mappings-- you'd simply add a new
7. column to #HelpUser, say [NewLoginName], and use that in the 'fix-it' statement-generator query.
8. */
9. USE MyDatabase;
10.  
11. --For storing the output of sys.sp_helpuser
12. IF (OBJECT_ID('tempdb.dbo.#HelpUser') IS NOT NULL)
13. DROP TABLE #HelpUser;
14.  
15. CREATE TABLE #HelpUser (
16. [UserName] nvarchar(44)
17. , [RoleName] nvarchar(16)
18. , [LoginName] nvarchar(44)
19. , [DefDBName] nvarchar(12)
20. , [DefSchemaName] nvarchar(6)
21. , [UserID] char(10)
22. , [SID] varbinary(85)
23. );
24.  
25. --Get the output
26. INSERT #HelpUser
27. EXEC sys.sp_helpuser;
28.  
29. --Remove "known system users" (we don't care about them)
30. DELETE FROM #HelpUser
31. WHERE UserName IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA')
32. OR UserName LIKE 'NT AUTHORITY\%' OR UserName LIKE 'BUILTIN\%'
33.  
34. --Unique-ify, & remove the role column
35. DELETE hu
36. FROM #HelpUser hu
37. JOIN (SELECT UserName, MaxRole = MAX(RoleName)
38. FROM #HelpUser
39. GROUP BY UserName
40. ) hu2
41. ON hu.UserName = hu2.UserName
42. AND hu.RoleName < hu2.MaxRole
43.  
44. ALTER TABLE #HelpUser
45. DROP COLUMN RoleName;
46.  
47. --Add a flag for "type" (SQL login vs. Windows)
48. ALTER TABLE #HelpUser
49. ADD UserType varchar(5);
50.  
51. --Populate said flag
52. UPDATE hu SET hu.UserType = (CASE WHEN usr.issqluser = 1 THEN 'SQL' WHEN usr.isntname = 1 then 'WIN' ELSE '?' END)
53. FROM #HelpUser hu
54. JOIN sys.sysusers usr
55. ON hu.SID = usr.sid
56.  
57. --Find the users w/ a NULL LoginName (i.e. not mapped to a Login)
58. SELECT * FROM #HelpUser
59. WHERE LoginName IS NULL
60.  
61. --Generate "fix statements", assuming name-matching
62. /*
63. SELECT FixIt = 'ALTER USER ' + QUOTENAME(hu.UserName) + ' WITH LOGIN = ' + QUOTENAME(hu.UserName) + ';'
64. FROM #HelpUser hu
65. JOIN master.sys.syslogins sl
66. ON hu.UserName = sl.name
67. WHERE hu.LoginName IS NULL
68. */
69.  
70. DECLARE @Sql varchar(MAX);
71. SELECT @Sql = STUFF((
72. SELECT ';' + CHAR(10) + 'ALTER USER ' + QUOTENAME(hu.UserName) + ' WITH LOGIN = ' + QUOTENAME(hu.UserName)
73. FROM #HelpUser hu
74. JOIN master.sys.syslogins sl
75. ON hu.UserName = sl.name
76. WHERE hu.LoginName IS NULL
77. FOR XML PATH('')
78. ), 1, 2, '') + ';'
79.  
80. PRINT (@Sql);
81. --EXEC (@Sql); --UNCOMMENT this line to actually execute the fixes!
82.  
83.  
84. --Check again to see if we've fixed the problem!
85. --Store in a different temp-table just in case we want to compare
86. IF (OBJECT_ID('tempdb.dbo.#FixedUser') IS NOT NULL)
87. DROP TABLE #FixedUser;
88.  
89. CREATE TABLE #FixedUser (
90. [UserName] nvarchar(44)
91. , [RoleName] nvarchar(16)
92. , [LoginName] nvarchar(44)
93. , [DefDBName] nvarchar(12)
94. , [DefSchemaName] nvarchar(6)
95. , [UserID] char(10)
96. , [SID] varbinary(85)
97. );
98.  
99. --Get the output
100. INSERT #FixedUser
101. EXEC sys.sp_helpuser;
102.  
103. --Remove "known system users" (we don't care about them)
104. DELETE FROM #FixedUser
105. WHERE UserName IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA')
106. OR UserName LIKE 'NT AUTHORITY\%' OR UserName LIKE 'BUILTIN\%'
107.  
108. --Check for unmapped
109. SELECT * FROM #FixedUser
110. WHERE LoginName IS NULL